Dawnscanner – The raising security scanner for Ruby web applications
dawnscanner is a source code scanner designed to review your Ruby code for security issues.
dawnscanner can scan plain Ruby scripts (e.g. command line applications), but all of its features come into play when it deals with web application source code. dawnscanner supports the major MVC (Model View Controller) frameworks out of the box:
dawnscanner version 1.6.6 has 235 security checks loaded in its knowledge base. Most of them are CVE bulletins applying to gems or to the Ruby interpreter itself; there are also some checks derived from the OWASP Ruby on Rails Cheatsheet.
When you run dawnscanner on your code, it parses your project's Gemfile.lock to find the gems in use, and it tries to detect the Ruby interpreter version you are running or have declared in your preferred Ruby version management tool (RVM, rbenv, …).
The tool then tries to detect the MVC framework your web application uses and applies the security checks accordingly: there are checks designed to match Rails applications and checks that apply to any Ruby code.
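The Gemfile.lock parsing, Ruby version detection and knowledge-base matching described above, as an added example that is not dawnscanner's own code: the lockfile, the `.ruby-version` content and the advisory entries (ids, affected ranges and fixed versions) are all constructed placeholders for illustration, not real bulletins. The matching uses `Gem::Requirement` from RubyGems so version ranges are compared the same way Bundler compares them.

```ruby
# Added example, not dawnscanner's own code: a minimal Gemfile.lock parser plus
# Ruby version detection, matched against a constructed advisory knowledge base.
require "rubygems" # Gem::Version and Gem::Requirement

# Constructed sample in the layout Bundler writes (abridged).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.2.5)
        rack (~> 1.6)
      nokogiri (1.6.7)
      rack (1.6.4)
      rails-html-sanitizer (1.0.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 4.2.5)

  RUBY VERSION
     ruby 2.3.0p0

  BUNDLED WITH
     1.11.2
LOCK

# Constructed knowledge base: ids, ranges and fixes are placeholders, not real advisories.
KNOWLEDGE_BASE = [
  { id: "EXAMPLE-ADV-001", gem: "rack",       vulnerable: "< 1.6.5",  fix: "1.6.5" },
  { id: "EXAMPLE-ADV-002", gem: "nokogiri",   vulnerable: "< 1.6.8",  fix: "1.6.8" },
  { id: "EXAMPLE-ADV-003", gem: "actionpack", vulnerable: ">= 5.0.0", fix: "n/a"   },
  { id: "EXAMPLE-ADV-004", gem: "ruby",       vulnerable: "< 2.3.1",  fix: "2.3.1" },
]

# Extract "name (version)" pairs from the specs section of a Gemfile.lock.
# Only lines indented by exactly four spaces are resolved specs; deeper lines are
# a spec's own dependencies and carry requirements, not pinned versions.
def parse_gemfile_lock(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s+specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # a new top-level section (PLATFORMS, ...)
    next unless in_specs
    gems[$1] = $2 if line =~ /^    (\S+) \(([^)]+)\)\s*$/
  end
  gems
end

# Prefer an explicit .ruby-version file, then the RUBY VERSION block Bundler
# records, and finally the interpreter running this scan.
def detect_ruby_version(lockfile_text, ruby_version_file = nil)
  return $1 if ruby_version_file && ruby_version_file =~ /(\d+\.\d+\.\d+)/
  return $1 if lockfile_text =~ /^RUBY VERSION\s*\n\s*ruby (\d+\.\d+\.\d+)/
  RUBY_VERSION
end

def vulnerable?(version, requirement)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(version))
end

# Returns one finding per advisory whose component is present in a vulnerable version.
def scan(lockfile_text, ruby_version_file = nil, kb = KNOWLEDGE_BASE)
  components = parse_gemfile_lock(lockfile_text)
  components["ruby"] = detect_ruby_version(lockfile_text, ruby_version_file)
  kb.select { |adv| components.key?(adv[:gem]) && vulnerable?(components[adv[:gem]], adv[:vulnerable]) }
    .map do |adv|
      { id: adv[:id], gem: adv[:gem], installed: components[adv[:gem]],
        mitigation: "upgrade #{adv[:gem]} to #{adv[:fix]}" }
    end
end

if __FILE__ == $0
  scan(SAMPLE_LOCKFILE).each { |f| puts "#{f[:id]} #{f[:gem]} #{f[:installed]} -> #{f[:mitigation]}" }
end
```

Against the sample lockfile the scan reports rack, nokogiri and the interpreter itself; actionpack 4.2.5 falls outside the placeholder range and is not reported. A real scanner should also treat a missing Gemfile.lock and an interpreter version it cannot detect as findings of their own, since both leave the dependency picture unknown.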
It can also understand the code in your views and backtrack sinks to spot cross-site scripting and SQL injection introduced by the code you actually wrote. In the project roadmap, this is the code most of the future development effort will be focused on.
The result of a dawnscanner security scan is a list of vulnerabilities, each with mitigation actions you should follow in order to build a stronger web application.
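A simplified version of the sink check described above, as an added example that is not dawnscanner's own code: it looks for output sinks that bypass Rails escaping in an ERB view (`raw`, `.html_safe`) and for string interpolation inside `where(...)` in model code, and records whether a view sink's expression references `params`. The view and model snippets are constructed for the example; the pattern list and the "mentions params" taint rule are assumptions, far coarser than a real data-flow backtrack.

```ruby
# Added example, not dawnscanner's own code: regex-level sink finding for
# ERB views (XSS) and ActiveRecord query strings (SQL injection).

# Constructed view: one escaped output, one raw params output, one sanitized
# output and one html_safe call on model data.
VIEW_SAMPLE = <<~'ERB'
  <h1><%= @post.title %></h1>
  <div><%= raw params[:body] %></div>
  <p><%= sanitize(@post.summary) %></p>
  <span><%= @user.bio.html_safe %></span>
ERB

# Constructed model: one interpolated query string, one parameterised query.
MODEL_SAMPLE = <<~'RUBY'
  class Post < ActiveRecord::Base
    def self.search(term)
      where("title LIKE '%#{term}%'")   # string interpolation into SQL
    end
    def self.by_author(name)
      where(author: name)               # hash conditions, bound as parameters
    end
  end
RUBY

# Sinks that emit a string into the page without Rails' automatic escaping.
XSS_SINKS = [
  /<%=\s*raw\s+(.+?)\s*%>/,        # raw(expr)
  /<%=\s*(.+?)\.html_safe\s*%>/,   # expr.html_safe
].freeze

# A where() whose first argument is a double-quoted string containing "#{...}".
SQLI_SINK = /where\(\s*"([^"]*\#\{[^}]*\}[^"]*)"/

# Returns one finding per raw/html_safe sink, marking whether the emitted
# expression visibly derives from request parameters (assumed taint rule).
def find_view_sinks(erb)
  findings = []
  erb.each_line.with_index(1) do |line, no|
    XSS_SINKS.each do |pattern|
      next unless line =~ pattern
      expr = $1
      findings << { line: no, kind: :xss, expr: expr, tainted: expr.include?("params") }
    end
  end
  findings
end

# Returns one finding per where() call that builds its SQL by interpolation.
def find_sql_sinks(src)
  findings = []
  src.each_line.with_index(1) do |line, no|
    next unless line =~ SQLI_SINK
    findings << { line: no, kind: :sqli, expr: $1 }
  end
  findings
end

if __FILE__ == $0
  (find_view_sinks(VIEW_SAMPLE) + find_sql_sinks(MODEL_SAMPLE)).each do |f|
    puts "line #{f[:line]}: #{f[:kind]} sink #{f[:expr].inspect}#{' (tainted)' if f[:tainted]}"
  end
end
```

The `raw params[:body]` line is the one a reviewer would fix first (escape it, or pass it through `sanitize` with an allow-list); the `html_safe` on model data is reported for review because its safety depends on where that field is written. The interpolated `where` string is flagged regardless of the argument's origin, since the mitigation is the same: use placeholders or hash conditions so the value is bound rather than concatenated.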
- Removed signing certificate. This will solve issue #233 and #229
- Removed datamapper support. I will change to active_record sooner or later. This will solve issue #232 and issue #218
Copyright (c) 2013-2016 Paolo Perego firstname.lastname@example.org